
Apparently SELinux inserts control data into AF_UNIX datagrams where we
don't expect it, thus miscalculating the control data. This looks like
something to fix in SELinux, but we still should handle this gracefully
and just drop the offending datagram and continue.
recvmsg_safe() actually already drops the datagram; it's just a matter
of actually ignoring EXFULL (which it generates if control data is too
large) in the right places.
This does this wherever an AF_UNIX/SOCK_DGRAM socket is used with
recvmsg_safe() that is not just internal communication.
Fixes: #17795
Follow-up for: 3691bcf3c5eebdcca5b4f1c51c745441c57a6cd1
(cherry picked from commit 741bfd7f4e60fdc07ecaadbd93f1196dbee657ca)
(cherry picked from commit b7e0ac754eba3c91b76dc7b92802716144b569b8)

Previously, if an interface does not have an SSID, e.g. run in mesh-point
type, then the wifi iftype obtained by the netlink call was ignored.
Fixes #18059.
(cherry picked from commit a66a402da471f6230ab8674fd2c1df6d918773b5)
(cherry picked from commit fc4eae72f8dd34a334b2707614d9c07974d4d604)

(cherry picked from commit a5330078158cbd5070e42fd3f91ecb570e210359)
(cherry picked from commit 3885103672047e52c22c8d338baec8598208ca4a)

It looks like zero'ing the struct is not enough, and with some level
of optimizations there is still non-zero padding left over.
Switch to member-by-member initialization. Also convert all remaining
bpf_attr variables in other files.
(cherry picked from commit 9ca600e2bfacc52a65c89f3485723b2c27394e55)
(cherry picked from commit 95ee2c6b481b7a1f953cb720c35df568b7a6cb70)

When building with Clang and using structured initialization, the
bpf_attr union is not zero-padded, so the kernel misdetects it as
an unsupported extension.
zero it until Clang's behaviour matches GCC. Do not skip the test
on Github Actions anymore.
(cherry picked from commit 28abf5ad3483a417d3d4de561533d282493a7f2a)
(cherry picked from commit 94bb28590b21f37bcd9b831029af05a8a78f49ef)

Fixes oss-fuzz#28817.
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28817
(cherry picked from commit 8786d4bbe43b5f6493982bcb5211e010f99deb57)
(cherry picked from commit cefb123e8ab65772a2a609081ca34ac6ea1267d6)

(cherry picked from commit 805d67c565d57e0915162164f7e5e3026a29a2c5)
(cherry picked from commit 2a76d510d9c50dd8f4bd21194cf3f457760aea52)

(cherry picked from commit adce225a104d0b7503aa7322db15d1c6dd8b8093)
(cherry picked from commit b7f69284f1eb21c51cb659a96685cffc6c472ffd)

Previously, we'd already have explicit logging for the case where
$XDG_RUNTIME_DIR is not set. Let's also add some explicit logging for
the EPERM/ACCESS case. Let's also in both cases suggest the
--machine=<user>@.host syntax.
And while we are at it, let's remove side-effects from the macro.
By checking for both the EPERM/EACCES case and the $XDG_RUNTIME_DIR case
we will now catch both the cases where people use "su" to issue a
"systemctl --user" operation, and those where they (more correctly, but
still not good enough) call "su -".
Fixes: #17901
(cherry picked from commit 1ecb46724cae151606bc825f0e39f14d4dfe1a0e)
(cherry picked from commit 36bc4a18fd8117cab0d4ff02eac89579a86cd399)

This commit adds support for disabling the read and write
workqueues with the new crypttab options no-read-workqueue
and no-write-workqueue. These correspond to the cryptsetup
options --perf-no_read_workqueue and --perf-no_write_workqueue
respectively.
(cherry picked from commit 227acf0009bde2cd7f8bc371615b05e84137847d)

Fixes: #17129.
(cherry picked from commit dee29aeb5909f4f5604012ced250488286b8d468)
https://github.com/systemd/systemd-stable/issues/76

This follows more closely what web browsers do, and makes sure emojis in
domains work.
Fixes: #14483
(cherry picked from commit d80e72ec602c2af2983842ad87e4443fce89d423)

This reverts the gist of da1921a5c396547261c8c7fcd94173346eb3b718 and
0d9fca76bb69e162265b2d25cb79f1890c0da31b (for ppc).
Quoting #17559:
> libseccomp 2.5 added socket syscall multiplexing on ppc64(el):
> https://github.com/seccomp/libseccomp/pull/229
>
> Like with i386, s390 and s390x this breaks socket argument filtering, so
> RestrictAddressFamilies doesn't work.
>
> This causes the unit test to fail:
> /* test_restrict_address_families */
> Operating on architecture: ppc
> Failed to install socket family rules for architecture ppc, skipping: Operation canceled
> Operating on architecture: ppc64
> Failed to add socket() rule for architecture ppc64, skipping: Invalid argument
> Operating on architecture: ppc64-le
> Failed to add socket() rule for architecture ppc64-le, skipping: Invalid argument
> Assertion 'fd < 0' failed at src/test/test-seccomp.c:424, function test_restrict_address_families(). Aborting.
>
> The socket filters can't be added so `socket(AF_UNIX, SOCK_DGRAM, 0);` still
> works, triggering the assertion.
Fixes #17559.
(cherry picked from commit d5923e38bc0e6cf9d7620ed5f1f8606fe7fe1168)

Follow-up for 5abede3247591248718026cb8be6cd231de7728b.
(cherry picked from commit 11b9105dfdbcea5dc9f4a5dd676ca494ab8b909e)

These three syscalls are internally used by libc's memory allocation
logic, i.e. ultimately back malloc(). Allocating a bit of memory is so
basic, it should just be in the default set.
This fixes a couple of issues with asan/msan and the seccomp tests: when
asan/msan is used some additional, large memory allocations take place
in the background, and unless mmap/mmap2/brk are allowlisted these will
fail, aborting the test prematurely.
(cherry picked from commit 5abede3247591248718026cb8be6cd231de7728b)

driver name is empty
Inspired by #17532.
(cherry picked from commit 861de64e6858bc92b154ad70d1cee41ae5b75835)

The idea is that we have strvs like list of server names or addresses, where
the majority of strings is rather short, but some are long and there can
potentially be many strings. So formatting them either all on one line or all
in separate lines leads to output that is either hard to read or uses way too
many rows. We want to wrap them, but relying on the pager to do the wrapping is
not nice. Normal text has a lot of redundancy, so when the pager wraps a line
in the middle of a word the reader can understand what is going on without any
trouble. But for a high-density zero-redundancy text like an IP address it is
much nicer to wrap between words. This also makes c&p easier.
This adds a variant of TABLE_STRV which is wrapped on output (with line breaks
inserted between different strv entries).
The change to table_print() is quite ugly. A second pass is added to re-calculate
column widths. Since column size is now "soft", i.e. it can adjust based on
available columns, we need two passes:
- first we figure out how much space we want
- in the second pass we figure out what the actual wrapped column
  widths will be.
To avoid unnecessary work, the second pass is only done when we actually have
wrappable fields.
A test is added in test-format-table.
(cherry picked from commit b0e3d799891c4633bd2b0d88e4ed2c741bbcd532)

(cherry picked from commit 6f8ca84c9b64c81add286790a7ffcc2eed569b27)

dns list shall not be sorted.
(cherry picked from commit af781878d5986127ca00831c4b524c2b62649823)

By making them unsigned, comparing them with other sizes is less likely
to trigger compiler warnings regarding signed/unsigned comparisons.
After all, sizes (i.e. size_t) are generally assumed to be unsigned, so
these should be too.
Prompted-by: https://github.com/systemd/systemd/pull/17345#issuecomment-709402332
(cherry picked from commit 67bd5620f6cf481c0a59cedbcf63ddcab355cc55)

p itself is never null. Because of this, we would always
call sd_notify() in cleanup, even though the intention was to only
call it if notify_start() was executed.
(cherry picked from commit 297fc20dc469694f054ed2be4358eb21efe89660)

We would return ENOENT, which is extremely confusing. Strace is not helpful because
no *file* is actually missing. So let's add some logs at debug level and also use
a custom return code. Let all user-facing utilities print a custom error message
in that case.
(cherry picked from commit ab4a88eb920e2f64a79a60c1ea9aecb7907a9635)

Clarify that the name of the entry failed validation, not the entry
itself.
(cherry picked from commit dfc22cb4724851990d3d2ebcc2404a708e1b7223)

While a server is in the VARLINK_PENDING_METHOD or VARLINK_PENDING_METHOD_MORE
states and its write end is disconnected and it gets a POLLHUP, we
should disconnect since it can't write anymore.
In the case of systemd-oomd disconnecting while pid1 was pending-more, this
condition left pid1 in a state where it started throttling from
continually getting POLLHUP.
(cherry picked from commit e8e9227f5c3f8d47bec1d57a2801b22d53d0b341)

I can't think of any real vulnerability about this, but it still feels
better to check a variable with "secure" in its name with
secure_getenv() rather than plain getenv().
Paranoia FTW!
(cherry picked from commit b8f736b30e20a2b44e7c34bb4e43b0d97ae77e3c)

The variable is renamed to SYSTEMD_PAGERSECURE (because it's not just about
less now), and we automatically enable secure mode in certain cases, but not
otherwise.
This approach is more nuanced, but should provide a better experience for
users:
- Previously we would set LESSSECURE=1 and trust the pager to make use of
  it. But this has an effect only on less. We need to not start pagers which
  are insecure when in secure mode. In particular more is like that and is a
  very popular pager.
- We don't enable secure mode always, which means that those other pagers can
  reasonably be used.
- We do the right thing by default, but the user has ultimate control by
  setting SYSTEMD_PAGERSECURE.
Fixes #5666.
v2:
- also check $PKEXEC_UID
v3:
- use 'sd_pid_get_owner_uid() != geteuid()' as the condition
(cherry picked from commit 0a42426d797406b4b01a0d9c13bb759c2629d108)

Some extra safety when invoked via "sudo". With this we address a
genuine design flaw of sudo, and we shouldn't need to deal with this.
But it's still a good idea to disable this surface given how exotic it
is.
Prompted by #5666
(cherry picked from commit 612ebf6c913dd0e4197c44909cb3157f5c51a2f0)

(cherry picked from commit 6ea0d25c573c6ef64f62333b7e850067a202c7ee)

(cherry picked from commit e2d839d316b006fe86b1f156d90da35fa0857bfb)

(cherry picked from commit 7b121df640475a3c8b9891a307f562abc754293d)

an enveloping partition table
If this happens this should just mean: we couldn't find the ESP.
Fixes: #17122
(cherry picked from commit 7ea3024b508ac7166851bd8728ac31802586d614)

This is like membarrier() I guess and basically just exposes CPU
functionality via kernel syscall on some archs. Let's whitelist it for
everyone.
Fixes: #17197
(cherry picked from commit 8e24b1d23f5fa711bfdfd38bcfef525de04cd3c1)

handle this
(cherry picked from commit 77ad674b51ceb598aae1adaa7abe572ad0262f39)

The RTC is like just off, it's a weird system state, let's continue
without requiring pw change.
(cherry picked from commit 3e0b54867e22523cffda3b80e179df89b6d81bcd)

This likely indicates that the system clock is simply wrong, hence allow
access in this case.
Fixes: #15917
(cherry picked from commit 61a29a020c5c6611a22a84c1456e8da7aa656194)

This might happen if the system clock is wrong, and we should allow
access in this case (though certainly log about it).
(cherry picked from commit 51a95db6dcb720608eccaac01328b66ef7cc0d30)

(cherry picked from commit 3afda7c7976c25db786948a961873fa5c2c8e0e9)

Let's suppress the secondary arch data, since we never ever want to
mount it if we found the primary arch.
Previously we only suppressed in the Verity case, but there's little
reason to entertain the idea of a secondary arch in non-Verity
environments either, we are not going to use them, and should not do
decryption or anything like that.
(cherry picked from commit 74cb2db9f403dfe17cabc6dac48b0f49a84eb03f)

(cherry picked from commit d8ea7f838b1199d240d522ee3ce05d1c263b7ad4)

cryptsetup: Fix null pointer dereference
Fix null pointer dereference in the pkcs11 related code of systemd-cryptsetup
(cherry picked from commit 664ad0f6f54257643fa069d9e1e9cad0f6fd7cc3)

(cherry picked from commit d157714b6819d9e4faa93ef64a5041d5a8ae4779)

And add a comment for the existing cases where things aren't clear
already.
(cherry picked from commit d161680e7afb7ae01593ffc5deb6c02bbc08ed19)

/run/host
Let's make /run/host the sole place we pass stuff from host to container
in and place the "inaccessible" nodes in /run/host too.
In contrast to the previous two commits this is a minor compat break, but
not a relevant one I think. Previously the container manager would place
these nodes in /run/systemd/inaccessible/ and that's where PID 1 in the
container would try to add them too when missing. Container manager and
PID 1 in the container would thus manage the same dir together.
With this change the container manager now passes an immutable directory
to the container and leaves /run/systemd entirely untouched, and managed
exclusively by PID 1 inside the container, which is nice to have clear
separation on who manages what.
In order to make sure systemd then uses the /run/host/inaccessible/
nodes this commit changes PID 1 to look for that dir and if it exists
will symlink it to /run/systemd/inaccessible.
Now, this will work fine if new nspawn and new pid 1 in the container
work together, as then the symlink is created and the difference between
the two dirs won't matter.
For the case where an old nspawn invokes a new PID 1: in this case
things work as they always worked: the dir is managed together.
For the case where a different container manager invokes a new PID 1: in
this case the nodes aren't typically passed in, and PID 1 in the
container will try to create them and will likely fail partially (though
gracefully) when trying to create char/block device nodes. This is fine
though as there are fallbacks in place for that case.
For the case where a new nspawn invokes an old PID1: this is where the
(minor) incompatibility happens: in this case new nspawn will place the
nodes in the /run/host/inaccessible/ subdir, but the PID 1 in the
container won't look for them there. Since the nodes are also not
pre-created in /run/systemd/inaccessible/ PID 1 will try to create them
there as if a different container manager sets them up. This is of
course not sexy, but is not a total loss, since as mentioned fallbacks
are in place anyway. Hence I think it's OK to accept this minor
incompatibility.
(cherry picked from commit 9fac502920a648d82e21b207989bfc3c00fbdebc)

Upon reception of a message which fails in json_parse(), we would proceed to
parse it again from a deferred callback and hang. Once we have realized that
the message is invalid, let's move the pointer in the buffer even if the
message is invalid. We don't want to look at this data again.
(before) $ build-rawhide/userdbctl --output=json user test.user
n/a: varlink: setting state idle-client
/run/systemd/userdb/io.systemd.Multiplexer: Sending message: {"method":"io.systemd.UserDatabase.GetUserRecord","parameters":{"userName":"test.user","service":"io.systemd.Multiplexer"}}
/run/systemd/userdb/io.systemd.Multiplexer: varlink: changing state idle-client → awaiting-reply
/run/systemd/userdb/io.systemd.Multiplexer: New incoming message: {...}
/run/systemd/userdb/io.systemd.Multiplexer: varlink: changing state awaiting-reply → pending-disconnect
/run/systemd/userdb/io.systemd.Multiplexer: New incoming message: {...}
/run/systemd/userdb/io.systemd.Multiplexer: varlink: changing state pending-disconnect → disconnected
^C
(after) $ n/a: varlink: setting state idle-client
/run/systemd/userdb/io.systemd.Multiplexer: Sending message: {"method":"io.systemd.UserDatabase.GetUserRecord","parameters":{"userName":"test.user","service":"io.systemd.Multiplexer"}}
/run/systemd/userdb/io.systemd.Multiplexer: varlink: changing state idle-client → awaiting-reply
/run/systemd/userdb/io.systemd.Multiplexer: New incoming message: {...}
/run/systemd/userdb/io.systemd.Multiplexer: Failed to parse JSON: Invalid argument
/run/systemd/userdb/io.systemd.Multiplexer: varlink: changing state awaiting-reply → pending-disconnect
/run/systemd/userdb/io.systemd.Multiplexer: varlink: changing state pending-disconnect → processing-disconnect
Got lookup error: io.systemd.Disconnected
/run/systemd/userdb/io.systemd.Multiplexer: varlink: changing state processing-disconnect → disconnected
Failed to find user test.user: Input/output error
This should fix #16683 and https://bugs.gentoo.org/735072.
(cherry picked from commit 77472d06a4740d820ebccdb04e217d6b7d66dd50)

We would reject various passwords that glibc accepts, for example ""
or any descrypted password. Accounts with empty password are definitely
useful, for example for testing or in scenarios where a password is not
needed. Also, using weak encryption methods is probably not a good idea,
it's not the job of our nss helpers to decide that: they should just
faithfully forward whatever data is there.
Also rename the function to make it more obvious that the returned answer
is not in any way certain.
(cherry picked from commit 8f796e40a561bd9200fde3c8885e6255a2dd4250)

Instead of assuming that more-recently modified directories have higher mtime,
just look for any mtime changes, up or down. Since we don't want to remember
individual mtimes, hash them to obtain a single value.
This should help us behave properly in the case when the time jumps backwards
during boot: various files might have mtimes that are in the future, but we won't
care. This fixes the following scenario:
We have /etc/systemd/system with T1. T1 is initially far in the past.
We have /run/systemd/generator with time T2.
The time is adjusted backwards, so T2 will be always in the future for a while.
Now the user writes new files to /etc/systemd/system, and T1 is updated to T1'.
Nevertheless, T1 < T1' << T2.
We would consider our cache to be up-to-date, falsely.
(cherry picked from commit c2911d48ff0fc61fb3cfab7050110992a7390417)

N_DEVICE_NODE_LIST_ATTEMPTS is unconditionally used since version 246 and
https://github.com/systemd/systemd/commit/ac1f3ad05f7476ae58981dcba45dfeb2c0006824
However, this variable is only defined if HAVE_BLKID is set resulting in
the following build failure if cryptsetup is enabled but not libblkid:
../src/shared/dissect-image.c:1336:34: error: 'N_DEVICE_NODE_LIST_ATTEMPTS' undeclared (first use in this function)
1336 | for (unsigned i = 0; i < N_DEVICE_NODE_LIST_ATTEMPTS; i++) {
     |
Fixes:
- http://autobuild.buildroot.org/results/67782c225c08387c1bbcbea9eee3ca12bc6577cd
(cherry picked from commit 28e2641a1aa506c5df93c7a0cb107aed8297b45e)

(cherry picked from commit 66bff73b4f91f8d2fdd385f9f1e2b6339055c9e4)

Fixes https://github.com/coreos/ignition/issues/1064.
(cherry picked from commit 47ab95fe4315b3f7ee5a3694460a744bb88c52fd)

We return BUS_ERROR_NO_SUCH_UNIT a.k.a. org.freedesktop.systemd1.NoSuchUnit
in various places. In #16813:
Aug 22 06:14:48 core sudo[2769199]: pam_systemd_home(sudo:account): Failed to query user record: Unit dbus-org.freedesktop.home1.service not found.
Aug 22 06:14:48 core dbus-daemon[5311]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.home1.service': Unit dbus-org.freedesktop.home1.service not found.
Aug 22 06:14:48 core dbus-daemon[5311]: [system] Activating via systemd: service name='org.freedesktop.home1' unit='dbus-org.freedesktop.home1.service' requested by ':1.6564' (uid=0 pid=2769199 comm="sudo su ")
This particular error comes from bus_unit_validate_load_state() in pid1:
case UNIT_NOT_FOUND:
        return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_UNIT, "Unit %s not found.", u->id);
It seems possible that we should return a different error, but it doesn't really
matter: if we change pid1 to return a different error, we still need to handle
BUS_ERROR_NO_SUCH_UNIT as in this patch to handle pid1 with current code.
(cherry picked from commit 73d3ac8e2440cda3b7f2310f329f0798de6c041c)